Introduction
Ten years after the first commit, Kubernetes is not exciting in the way it was in 2015. That’s a compliment. The system is stable. The APIs are mature. The migrations — dockershim, PSP, cloud provider code — are behind us.
What the 1.33–1.35 cycle shows is a project focused on precision: removing edge cases, promoting long-running alpha features to stable, and making the scheduler, storage, and security model more correct rather than more powerful. That’s what a mature infrastructure platform looks like.
Here’s what happened and where the project is headed.
Kubernetes 1.33 — Sidecar Resize, In-Place Resize Beta (April 2025)
Code name: Octarine
In-Place Pod Vertical Scaling reaches Beta
After landing as alpha in 1.27, in-place pod resource resizing became beta in 1.33 — enabled by default via the InPlacePodVerticalScaling feature gate.
The capability: change CPU and memory requests/limits on a running container without terminating and restarting the pod.
# Resize a running container's CPU limit without restart
kubectl patch pod api-pod-xyz --type='json' -p='[
{
"op": "replace",
"path": "/spec/containers/0/resources/requests/cpu",
"value": "2"
},
{
"op": "replace",
"path": "/spec/containers/0/resources/limits/cpu",
"value": "4"
}
]'
# Verify the resize was applied
kubectl get pod api-pod-xyz -o jsonpath='{.status.containerStatuses[0].resources}'
Why this matters operationally: Before in-place resize, vertical scaling meant terminating the pod, losing in-memory state, waiting for a new pod to become ready. For databases with warm buffer pools, JVM applications with loaded heap caches, or any workload where startup cost is significant, this was a serious limitation. Vertical Pod Autoscaler (VPA) worked around it by restarting pods — acceptable for stateless workloads, problematic for stateful ones.
In 1.33, resizing also works for sidecar containers, combining two 1.32-stable features.
Sidecar Containers — Full Maturity
The first feature to formally combine sidecar and in-place resize: you can now vertically scale a service mesh proxy (Envoy sidecar) without restarting the application pod. For high-traffic services where the proxy itself becomes the CPU bottleneck, this is directly actionable.
Gateway API v1.4 (October 2025)
Gateway API continued its rapid iteration with v1.4:
BackendTLSPolicy (Standard channel): Configure TLS between the gateway and the backend service — not just TLS termination at the gateway, but end-to-end encryption:
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
name: api-backend-tls
spec:
targetRefs:
- group: ""
kind: Service
name: api-service
validation:
caCertificateRefs:
- name: internal-ca
group: ""
kind: ConfigMap
hostname: api.internal.corp
Gateway Client Certificate Validation: The gateway can now validate client certificates — mutual TLS for ingress traffic, not just between services.
TLSRoute to Standard: TLS routing (based on SNI, not HTTP host headers) graduated to the standard channel — enabling TCP workloads with TLS passthrough through the Gateway API model.
ListenerSet: Group multiple Gateway listeners — useful for shared infrastructure where multiple teams need to attach routes to the same gateway without managing separate Gateway resources.
Kubernetes 1.34 — Scheduler Improvements, DRA Continues (August 2025)
The 1.34 release focused on the scheduler and Dynamic Resource Allocation:
DRA structured parameters stabilization: The Dynamic Resource Allocation API matured its parameter model — resource drivers can expose structured claims that the scheduler understands, enabling topology-aware placement of GPU workloads:
apiVersion: resource.k8s.io/v1alpha3
kind: ResourceClaim
metadata:
name: gpu-claim
spec:
devices:
requests:
- name: gpu
deviceClassName: gpu.nvidia.com
selectors:
- cel:
expression: device.attributes["nvidia.com/gpu-product"].string() == "A100-SXM4-80GB"
count: 2
Scheduler QueueingHint stable: Plugins can now tell the scheduler when to re-queue a pod for scheduling — instead of the scheduler periodically retrying all unschedulable pods, plugins signal when relevant cluster state has changed. This significantly reduces scheduler CPU consumption in large clusters with many unschedulable pods.
Fine-grained node authorization improvements: Kubelets can now be restricted from accessing Service resources they don’t need — further reducing the blast radius of a compromised kubelet.
Kubernetes 1.35 — In-Place Resize GA, Memory Limits Unlocked (December 2025)
In-Place Pod Vertical Scaling Graduates to Stable
After landing in alpha (1.27), beta (1.33), in-place resize graduated to GA in 1.35. Two significant improvements accompanied GA:
Memory limit decreases now permitted: Previously, you could increase memory limits in-place but not decrease them. The restriction existed because the kernel doesn’t immediately reclaim memory when the limit is lowered — the OOM killer would need to run. 1.35 lifts this restriction with proper handling: the kernel is instructed to reclaim, and the pod status reflects the resize progress.
Pod-Level Resources (alpha in 1.35): Specify resource requests and limits at the pod level rather than per-container — with in-place resize support. Useful for init containers and sidecar patterns where total pod resources matter more than per-container allocation.
spec:
# Pod-level resources (alpha) — total budget for all containers
resources:
requests:
cpu: "4"
memory: "8Gi"
containers:
- name: application
image: myapp:latest
# No per-container resources; pod-level applies
- name: log-collector
image: fluentbit:latest
restartPolicy: Always # sidecar
Other 1.35 Highlights
Topology Spread Constraints improvements: Better handling of unschedulable scenarios — whenUnsatisfiable: ScheduleAnyway now has smarter fallback behavior.
VolumeAttributesClass stable: Change storage performance characteristics (IOPS, throughput) of a PersistentVolume without re-provisioning — the storage equivalent of in-place pod resize.
# Change volume IOPS without re-provisioning
kubectl patch pvc database-pvc --type='merge' -p='
{"spec": {"volumeAttributesClassName": "high-performance"}}'
Job success policy improvements: Declare a Job successful when a subset of pods complete successfully — for distributed training jobs where not all workers need to finish.
What’s in Kubernetes 1.36 (April 22, 2026)
Kubernetes 1.36 is on track for April 22, 2026 release. Based on the enhancement tracking and KEP (Kubernetes Enhancement Proposal) pipeline, expected highlights include:
- DRA continuing toward stable
- Pod-level resources moving to beta
- Scheduler improvements for AI/ML workload placement
- Further Gateway API integration as core networking model
The project has reached a rhythm: four releases per year, each focused on advancing a predictable set of features through alpha → beta → stable. The drama of the 2019–2022 period (PSP, dockershim, API removals) is behind it.
The State of the Ecosystem in 2026
Control Plane Deployment Models
| Model | Examples | Best For |
|---|---|---|
| Managed (cloud provider) | GKE, EKS, AKS | Most organizations; no control plane ops |
| Self-managed | kubeadm, k3s, Talos | Air-gapped, on-prem, specific compliance requirements |
| Managed (platform) | Rancher, OpenShift | Enterprises that need multi-cluster management + vendor support |
CNI Landscape
| CNI | Model | Notable Feature |
|---|---|---|
| Cilium | eBPF | kube-proxy replacement, network policy at kernel, Hubble observability |
| Calico | eBPF or iptables | BGP-based networking, hybrid cloud routing |
| Flannel | VXLAN/host-gw | Simple, low overhead, no network policy |
| Weave | Mesh overlay | Easy multi-host setup |
eBPF-based CNIs (Cilium, Calico in eBPF mode) are now the default recommendation for production clusters. The iptables era of Kubernetes networking is ending.
Security Stack in 2026
A hardened Kubernetes cluster in 2026 runs:
Cluster provisioning: Cluster API + GitOps (Flux/ArgoCD)
Admission control: Pod Security Admission (restricted) + Kyverno or OPA/Gatekeeper
Runtime security: Falco (eBPF-based syscall monitoring)
Network security: Cilium NetworkPolicy + Cilium Cluster Mesh for multi-cluster
Image security: Cosign signing in CI + admission webhook for signature verification
Secret management: External Secrets Operator → HashiCorp Vault or cloud KMS
Observability: Prometheus + Grafana + Hubble (network flows) + OpenTelemetry
The Permanent Principles That Haven’t Changed
Looking across twelve years and 35 minor versions, some things have not changed:
The API as the universal interface: Everything in Kubernetes is a resource. This remains the most important architectural decision — it makes every tool, every controller, every GitOps system work with the same model.
Reconciliation loops: Every Kubernetes controller watches actual state and drives it toward desired state. The controller pattern from 2014 is unchanged. CRDs and Operators are just more instances of it.
Labels and selectors: The flexible grouping mechanism from 1.0 is still the primary way Kubernetes components find each other. Services find pods. HPA finds Deployments. Operators find their managed resources.
Declarative, not imperative: You describe what you want. Kubernetes figures out how to achieve and maintain it. This principle, inherited from Borg’s BCL configuration, underlies everything from Deployments to Crossplane’s cloud resource management.
What’s Coming: The Next Five Years
WebAssembly on Kubernetes: The Wasm ecosystem (wasmCloud, SpinKube) is building toward running WebAssembly workloads as first-class Kubernetes pods — near-native performance, smaller images, stronger isolation than containers. Still early, but gaining real adoption.
AI inference as infrastructure: LLM serving is becoming a cluster primitive. Tools like KServe and vLLM on Kubernetes are moving from research to production. The scheduler, resource model, and networking will continue adapting to inference workload patterns.
Confidential computing: AMD SEV, Intel TDX, and ARM CCA provide hardware-level memory encryption for pods. The RuntimeClass mechanism and ongoing kernel work are making confidential Kubernetes workloads operational rather than experimental.
Leaner distributions: k3s, k0s, Talos, and Flatcar-based minimal Kubernetes distributions are growing in adoption for edge, IoT, and resource-constrained environments. The pressure is toward smaller, more auditable control planes.
Key Takeaways
- In-place pod vertical scaling went from alpha (1.27) to stable (1.35) — live CPU and memory resize without pod restart changes the economics of stateful workload management
- Gateway API v1.4 completes the ingress replacement story: BackendTLSPolicy, client certificate validation, and TLSRoute in standard channel
- VolumeAttributesClass stable (1.35): Change storage performance in-place — the storage parallel to pod resource resize
- The eBPF era of Kubernetes networking is established: Cilium as default CNI in GKE, growing in EKS/AKS, replacing iptables-based kube-proxy
- The Kubernetes project in 2026 is focused on precision — promoting mature features to stable, reducing edge cases, improving scheduler efficiency — not adding new abstractions
- WebAssembly, confidential computing, and AI inference scheduling are the frontiers to watch
Series Wrap-Up
| Era | Defining Change |
|---|---|
| 2003–2014 | Borg and Omega build the playbook internally at Google |
| 2014–2016 | Kubernetes 1.0, CNCF, and winning the container orchestration wars |
| 2016–2018 | RBAC stable, CRDs, cloud providers all-in on managed K8s |
| 2018–2020 | Operators, service mesh, OPA/Gatekeeper — the extensibility era |
| 2020–2022 | Supply chain crisis, PSP deprecated, API removals, dockershim exit |
| 2022–2023 | Dockershim and PSP removed, eBPF networking takes over |
| 2023–2025 | GitOps standard, sidecar stable, DRA, AI/ML workloads |
| 2025–2026 | In-place resize GA, VolumeAttributesClass, Gateway API complete |
From 47,501 lines of Go in a 250-file GitHub commit to the operating system of the cloud — and still reconciling.
← EP07: Platform Engineering Era
Series: Kubernetes: From Borg to Platform Engineering | linuxcent.com
